FS#59087 : [fail2ban] Please add systemd hardening

FS#59087 - [fail2ban] Please add systemd hardening

Attached to Project: Community Packages
Opened by Francois (francoism90) - Wednesday, 20 June 2018, 14:11 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 21 June 2018, 16:53 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
It would be better to provide a more secure systemd service by default, by using a drop-in unit.

The wiki mention how to do this, but still depend on user actions.

e.g.:

[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
NoNewPrivileges=yes
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

Additional info:
* fail2ban

Steps to reproduce:
* systemctl cat fail2ban.service

Thanks.

This task depends upon

Closed by Doug Newgard (Scimmia)
Thursday, 21 June 2018, 16:53 GMT
Reason for closing: Won't implement

Comment by Doug Newgard (Scimmia) - Thursday, 21 June 2018, 16:53 GMT

Arch doesn't override upstream service files with dropins by default. This is an administrator action. If you want the service file changed, talk to upstream.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#59087 - [fail2ban] Please add systemd hardening

Details

Loading...